Google was caught bypassing privacy settings in Safari last week, and now …

Google was caught last week bypassing default privacy settings in the Safari browser in order to serve up tracking cookies. The company claimed the situation was an accident and limited only to the Safari Web browser, but today Microsoft claimed Google is doing much the same thing with Internet Explorer.

In a blog post titled "Google bypassing user privacy settings" Microsoft's IE Corporate Vice President Dean Hachamovitch states that "When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies."

Hachamovitch explains that IE's default configuration blocks third-party cookies unless presented with a "P3P (Platform for Privacy Preferences Project) Compact Policy Statement" indicating that the site will not use the cookie to track the user. Microsoft accuses Google of sending a string of text that tricks the browser into thinking the cookie won't be used for tracking. "By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked," Microsoft said.

The text allegedly sent by Google actually reads "This is not a P3P policy" and includes a link to a Google page which says cookies used to secure and authenticate Google users are needed to store user preferences, and that the P3P protocol "was not designed with situations like these in mind."

Microsoft said it has contacted Google to ask the company to "commit to honoring P3P privacy settings for users of all browsers." Microsoft also updated the Tracking Protection Lists in IE9 to prevent the tracking described by Hachamovitch in the blog post. Ars has contacted Google to see if the company has any response to the Microsoft allegations, and we'll update this post if we hear back.

UPDATE: It turns out Facebook and many other sites are using an almost identical scheme to override Internet Explorer's privacy setting, according to privacy researcher Lorrie Faith Cranor at Carnegie Mellon University. "Companies have discovered that they can lie in their [P3P policies] and nobody bothers to do anything about it," Cranor wrote in a recent blog post.

UPDATE 2: Google has gotten back to us with a lengthy reply, arguing that Microsoft's reliance on P3P forces outdated practices onto modern websites and pointing to a study conducted in 2010 (the Carnegie Mellon research from Cranor and her colleagues) that examined 33,000 sites and found about a third of them were circumventing P3P in Internet Explorer.

"Microsoft uses a 'self-declaration' protocol (known as 'P3P') dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form," Google Senior VP of Communications and Policy Rachel Whetstone says in a statement e-mailed to Ars. "It is well known—including by Microsoft—that it is impractical to comply with Microsoft’s request while providing modern web functionality."

Facebook's "Like" button, the ability to sign into websites using your Google account "and hundreds more modern Web services" would be broken by Microsoft's P3P policy, Google says. "It is well known that it is impractical to comply with Microsoft’s request while providing this web functionality," Whetstone said. "Today the Microsoft policy is widely non-operational."

That 2010 research even calls out Microsoft's own msn.com and live.com for providing invalid P3P policy statements. The research paper further states that "Microsoft's support website recommends the use of invalid CPs as a work-around for a problem in IE."
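As an added illustration (not code from Microsoft, Google, or the cited research), this Python sketch audits P3P response-header values for the pattern described above: a CP field that is present but carries no token from the P3P 1.0 compact-policy vocabulary. The Facebook string is the one quoted on this page; the other sample headers are constructed, and the URL in the first one is a placeholder.

```python
import re

# P3P 1.0 compact-policy tokens that take no suffix.
PLAIN_TOKENS = set("""
    NOI ALL CAO IDC OTI NON
    DSP COR MON LAW NID TST
    CUR OUR
    NOR STP LEG BUS IND
    PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC
""".split())

# Purpose and recipient tokens that may carry a consent suffix (a, i or o).
SUFFIX_TOKENS = set(
    "ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split()
)

# The compact policy travels in the P3P header as CP="TOKEN TOKEN ...".
CP_FIELD = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_p3p_token(tok):
    """True if tok belongs to the compact-policy vocabulary above."""
    if tok in PLAIN_TOKENS:
        return True
    return (len(tok) in (3, 4)
            and tok[:3] in SUFFIX_TOKENS
            and tok[3:] in ("", "a", "i", "o"))


def audit_p3p(header_value):
    """Classify the value of one P3P response header.

    Verdicts:
      no-cp-field      header has no CP="..." part
      no-valid-tokens  CP present, but nothing in it is a P3P token
      mixed            some valid tokens plus unknown or deprecated ones
      well-formed      every token is in the vocabulary
    A well-formed policy is only syntactically valid; nothing here can
    check that the site actually behaves as the tokens claim.
    """
    match = CP_FIELD.search(header_value)
    if match is None:
        return {"verdict": "no-cp-field", "valid": [], "unknown": []}
    tokens = match.group(1).split()
    valid = [t for t in tokens if is_p3p_token(t)]
    unknown = [t for t in tokens if not is_p3p_token(t)]
    if not valid:
        verdict = "no-valid-tokens"
    elif unknown:
        verdict = "mixed"
    else:
        verdict = "well-formed"
    return {"verdict": verdict, "valid": valid, "unknown": unknown}


# Sample header values. Only the Facebook string appears on this page;
# the rest are constructed for the example.
SAMPLES = {
    "plain-text (constructed, placeholder URL)":
        'CP="This is not a P3P policy! See https://example.invalid/p3p"',
    "facebook (quoted on this page)":
        'CP="Facebook does not have a P3P policy. '
        'Learn why here: http://fb.me/p3p"',
    "deprecated token (constructed)":
        'policyref="/w3c/p3p.xml", CP="ALL DSP COR CUR CUSo OUR IND"',
    "well-formed (constructed)":
        'CP="NOI DSP COR NID CUR ADM DEV OUR BUS"',
    "policyref only (constructed)":
        'policyref="/w3c/p3p.xml"',
}


def audit_all(samples):
    """Return {label: verdict} for a mapping of header values."""
    return {label: audit_p3p(value)["verdict"]
            for label, value in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:16} {label}")
```

A parser that silently drops unknown tokens is left with an empty policy for the first two samples, which is why a validating check has to treat "CP present, zero recognized tokens" as its own case rather than as a clean policy.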

P3P and Google's cookies

In some situations, the cookies we use to secure and authenticate your Google Account and store your preferences may be served from a different domain than the website you're visiting. This may happen, for example, if you visit websites with Google +1 buttons, or if you sign into a Google gadget on iGoogle.

Some browsers require third party cookies to use the P3P protocol to state their privacy practices. However, the P3P protocol was not designed with situations like these in mind. As a result, we've inserted a link into our cookies that directs users to a page where they can learn more about the privacy practices associated with these cookies.

Information that Google collects in association with these cookies is subject to our Privacy Policy. If you have any questions about our cookies and P3P, please feel free to contact us or write to us at:

and facebook: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"

Quote:

Thanks for your interest in privacy at Facebook. You are seeing this message because you attempted to access Facebook's Platform for Privacy Preferences (P3P) compact policy.

The organization that established P3P, the World Wide Web Consortium, suspended its work on this standard several years ago because most modern web browsers do not fully support P3P. As a result, the P3P standard is now out of date and does not reflect technologies that are currently in use on the web, so most websites currently do not have P3P policies.

At Facebook, we work hard to give you control over the information you Share and provide you information about how we collect and use your data. We provide information on these issues in our privacy policy, and we update our policy regularly to reflect new products and features that impact our privacy practices. I have more questions about this policy.

If tracking cookies are 'evil' when they are used by Google... what are they when used by a techno-blog? I am counting 9 here with Ars and even more on other sites. I don't think it matters which browser someone uses or if they have a 'do not follow' setting... tracking cookies are the SOP (standard operating principle) for the web and how it is ultimately financed.

It's very amusing when Google's apologists find excuses for behavior that would have them frothing at the mouth if the behavior were from Apple or Microsoft. The truth is that Google is a huge company that's trying to make money and exert its control on as much of the world as possible. It has its own agenda. When its agenda happens to coincide with the "open" religious principles of its fans, the company is happy to piously spout those words. But when push comes to shove, the company is going to do what's in its own best interests. I don't have a problem with a company aggressively competing. I'm just amazed when anybody buys into the PR enough to think that a company is its friend. We all have our own agendas -- and a company's agenda is money and power. Those who believe Google is different in that way are either stupid or very naive.

... you think Microsoft would have fixed this "bug" by now but I digress...

They did. If you read MS's blog post, they recommend people upgrade to IE9.

But, from my understanding, it might be misleading to call it a 'bug'. What Google is doing is sending pre-IE9 browsers a P3P string that (amusing) says "This is not a P3P policy!". That confuses the browsers and so they (by design) fall back to assuming they are out of date and allow the web site to basically do what it wants (still within reason, it's not really a remote exploit).

And if you read the blog post some more you see it's just a blacklist/whitelist. So no the bug isn't "fixed", they just specifically block google now. Can someone let me know if facebook is also on that list or is facebook okay for tracking?

The fact that it took a correction to the article to point out that Facebook, Amazon, and others have used or used this kind of header tag (and the first comments of the article referring to "don't be evil") says to me that people were thinking that Google and only Google's hand was caught in the cookie jar, when that wasn't true. It's been repeated on every site that this story has appeared.

in everybody else's defense .... they never said they are not evil ....

And how is this evil?

The Doubleclick cookie getting past Safari's settings is a problem, and Google has claimed it's a mistake and have said they have stopped doing it. That's unfortunate for them, and they should be penalized for it.

However, in every other case, Google has said that this cookie is to allow logged-in users to maintain their logged-in status and preferences when moving between a) sites that don't use the google.com cookie (think Blogger, Youtube, etc.) and b) sites that use the +1 button. To me, as a user of their services, that's a good thing and something I _want_ them to do.

I've pointed out previously that Paypal engineers attending a W3 workshop on privacy pointed out the issues with P3P and how it handles "third-party" cookies that really shouldn't be considered third-party at all. It might help to see the other side of this argument. (Here's their paper.)

I'm not going to say that Google doesn't deserve the pressure they're getting from these actions; they do. But people shouldn't be raising their pitchforks in the name of privacy when there are legitimate reasons for what Google is doing.

I don't want to sound too stupid here (although it may be too late for that), but why does anyone care? I'm being serious. Who cares if some random company knows where I go on the web? I certainly don't.

1) If they are so bored that following my every move gets their rocks off, then go for it. It doesn't affect me in the slightest. I mean, let them see my movements from Google to Google News to Ars Technica to BetaNews to IMDb to...wow, I even get bored typing it in.

So your argument is essentially: "I'm not doing anything on the internet which could make me a target of persecution at some time in the future, so I don't care"? That reminds me of an old quote: "First they came for the communists, but I didn't speak out because I wasn't a communist..." I'm sure we all remember how that ended.

And for anyone who thinks there is not a smear campaign against Google please let me know.

Facebook and MS have a proven tight relationship with a hatred towards all things Goog. Microsoft obviously know the P3P Policy stuff is utter crap and completely unsupported and not a standard in any way shape or form, but because they know the media outlets will slam Google's privacy at any cost... The media lately LOVES anything bad about Google...

But find it totally crazy that nobody seems to give two craps about the fact that iPhone apps have full access to all your contact information (and some major players caught uploading your contact, some without any encryption) and it's not a big deal... But Google having a totally anonymous cookie tracking is a HUGE freaking invasion of privacy! WTF people...

I've been reading a lot of articles about the address book kerfuffle, so I definitely think it has been a big deal; even Apple has gone out officially and said that they are going to change this.

OTOH, isn't it interesting how an app on your phone having access to your contacts is a big thing, but that every single app on my computer having access to almost every single file on it is nothing to write about? I think it shows that most people think of their phones as something personal, as their own, whereas the computer is something over there in the corner which is simply a tool, and not something which psychologically feels like it is connected to me. But I digress: The address book thing was a bad design by Apple and I hope they fix it soon.

If programs on your computer started uploading content from your computer to a server without your consent you sure would see an outcry! This is just the BS I am talking about... It is a HUGE deal that any application (on your computer or phone) would ever upload any data from your device without your consent!

I'm not going to say that Google doesn't deserve the pressure they're getting from these actions; they do. But people shouldn't be raising their pitchforks in the name of privacy when there are legitimate reasons for what Google is doing.

And the "legitimate reason" is to better track their products, so their customers could target their ads better.

btw are you seriously saying Google created an iframe that auto submits is an accident? really?

The legitimate reasons are to maintain logged-in status and preferences among Google products and services, which includes the +1 button.

As for the question. From Google's statement on the Safari issue, emphasis added:

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

And, actually, thanks to sxyzzx on Slashdot for pointing out that a study by Carnegie Mellon in 2010 shows that some of Microsoft's domains themselves also did not properly use the tokens in P3P. Did Microsoft block those sites from leaving behind cookies? Nope. (Page 7, if it's tl;dr.)

Every time I read about Google or Apple or Microsoft or Facebook screwing its users' privacy I always remember the fake commercial in the short-lived TV show Better off Ted. The fake company's name is Veridian Dynamics, but you can basically change out its name for any of the others in the commercial dialogue.

"Veridian Dynamics. Doing the right thing. It’s important. What does it mean in business? We have no idea. We know what wrong is. Actually, no, we don’t. Because we’re a successful company, not some boring ethics professor. Veridian Dynamics. Right and Wrong. It means something. We just don’t know what."

So the interesting thing about this is that it seems hard to understand how a Safari user can block this hole, in the case of IE it is very easy to close this just by going in and blocking 3rd party cookies. (It'll be interesting to see if Google starts shipping the invisible form to IE users.)

Of course much of the discussion and frothing can be avoided if you just set your browser up correctly for privacy:

- Block Ads
- Block 3rd party cookies completely

You can even use Google products if you want in this configuration and they will continue to work fine. Interestingly enough Google does not get real petty about making you view their ads to use their free programs.

Android even works fine for the most part with ad-blocking enabled once you "free" your device. (And it's significantly faster too!)

Firefox seems to be the best option if you don't want to be tracked... Chrome obviously being the worst option.

It's pretty scummy of Google, that's for sure. I however, don't care because while I'm using NoScript + AdBlock on Firefox, I allow everything from Google, and most things from Facebook. I'm actually not sure how those two add-ons affect cookies. I'd imagine NoScript would disallow them unless I unblock a particular site.

It brings up a rather gaping flaw in this "security" that these browsers are implementing though. That flaw being that this "security" is just based on trust. That is no security at all and can be seen by the site lying about what the cookie is used for. If there is no actual verification for what the site is saying the cookie is used for then it's practically worthless. As anyone who wasn't going to be doing something shady wouldn't have needed this feature anyway and those who are doing something shady have no problem lying, and possibly more, about it anyway.

This would stop me from using Google products as it didn't change anything for me, but at the same time it makes me want to keep my eye on them more.

The online advertising industry will have a difficult time convincing legislators that it can police itself with this behavior.

True, if you assume that legislators need convincing of anything.

I'd interpret the challenges of P3P (and other self-policing standards) as proof that the problem of the privacy trade-off and user preferences is difficult, not that politicians can solve it better than the industry.

Agreed. The point I didn't make well was that I hope this doesn't pop on the politicians' radar. They can't do anything to solve this problem either. However they can attach a butt load of unrelated riders to otherwise useless legislation. That's how they can do real damage to emerging internet business models.

It's pretty scummy of Google, that's for sure. I however, don't care because while I'm using NoScript + AdBlock on Firefox, I allow everything from Google, and most things from Facebook. I'm actually not sure how those two add-ons affect cookies. I'd imagine NoScript would disallow them unless I unblock a particular site.

It brings up a rather gaping flaw in this "security" that these browsers are implementing though. That flaw being that this "security" is just based on trust. That is no security at all and can be seen by the site lying about what the cookie is used for. If there is no actual verification for what the site is saying the cookie is used for then it's practically worthless. As anyone who wasn't going to be doing something shady wouldn't have needed this feature anyway and those who are doing something shady have no problem lying, and possibly more, about it anyway.

This would stop me from using Google products as it didn't change anything for me, but at the same time it makes me want to keep my eye on them more.

The only issue is the default settings in these browsers.. if you disable 3rd party cookies completely IE does not use the P3P stuff at all and Google can lie all they want, their cookies will still be blocked.

BTW, Facebook also works fine if you block them. No one is forcing you to stare at Ads to use Facebook or Google. These companies give their product away, why feel any need to let them track you and spam you with ads if they don't care about having the ads blocked?

If it were just Safari, or IE, it would almost look like a simple 'oops!' for Google. But the fact that Google used different tricks to gain the same results in two rivals' browsers seems a bit damning.

It is a bit confusing to me where the blame is, though. Are the browsers defective? Is P3P defective by design? Is Google really using clever hacks to exploit these browsers? Or is Google just doing something that doesn't agree with what their public, human readable privacy policy says?

+

that's pretty much how I'm feeling about it.

If it helps, people have been saying p3p is poor for over 10 years now.

So the interesting thing about this is that it seems hard to understand how a Safari user can block this hole, in the case of IE it is very easy to close this just by going in and blocking 3rd party cookies. (It'll be interesting to see if Google starts shipping the invisible form to IE users.)

Of course much of the discussion and frothing can be avoided if you just set your browser up correctly for privacy:

- Block Ads
- Block 3rd party cookies completely

You can even use Google products if you want in this configuration and they will continue to work fine. Interestingly enough Google does not get real petty about making you view their ads to use their free programs.

Android even works fine for the most part with ad-blocking enabled once you "free" your device. (And it's significantly faster too!)

Firefox seems to be the best option if you don't want to be tracked... Chrome obviously being the worst option.

This is the entire problem in the first place. That when you DO have your browser to block 3rd party cookies Google is doing a work around to set them anyway.

And, actually, thanks to sxyzzx on Slashdot for pointing out that a study by Carnegie Mellon in 2010 shows that some of Microsoft's domains themselves also did not properly use the tokens in P3P. Did Microsoft block those sites from leaving behind cookies? Nope. (Page 7, if it's tl;dr.)

Simply pointing out that Microsoft sent invalid P3P headers is meaningless. The invalid tokens are ignored. The problem with what Google, Facebook (and apparently Amazon according to that pdf) are doing is that they send only invalid tokens so that the browser will see that they are sending a P3P header but assume they aren't doing anything with the cookies since there are no tokens recognized. Microsoft's P3P headers pointed out in that research are incomplete, not fraudulent.

Wait a second here. The point of this was to let Google apply manually chosen preferences for logged in users. Same for the Safari issue where it enabled the +1 button for logged in users. Unless I am missing something, how is this a breach of privacy exactly? (genuine question) If I see the +1 button on an ad, of course it's going to link to my Google+ account, what else would it?

Unless I am mistaken (big unless: wait for it, often a possibility), Google's cookie set an expiration date *even when clicked for logged off users* so that, if the user ever logs on, the cookie would have advantage, or take effect, for that logged on user. A lay-in-wait for up to 24 hours, as I recall. (Now: where did I read that?)

Since the only purpose for Google's products is to gather information to sell, I would imagine that their own browsers, both for Android and other OS's, will allow whatever will make Google money.

It's about time that Google is forced to stop doing this. We had the scandal with Street View cars stealing passwords and other information. Google there too said it was an accident. But it couldn't have been, because the software that was doing that had been developed at Google for that very same purpose. They even patented it! It had to use for Street View at all. My thoughts on that was that Google never thought it would be discovered. I believe that possibly the entire purpose of Street View wasn't to make things easier by allowing people to see streets, it was to enable a way for them to use that spy software, and gather the information.

Google just goes on and on with stealing from companies and individuals. Will the government ever stop them?

And, actually, thanks to sxyzzx on Slashdot for pointing out that a study by Carnegie Mellon in 2010 shows that some of Microsoft's domains themselves also did not properly use the tokens in P3P. Did Microsoft block those sites from leaving behind cookies? Nope. (Page 7, if it's tl;dr.)

Simply pointing out that Microsoft sent invalid P3P headers is meaningless. The invalid tokens are ignored. The problem with what Google, Facebook (and apparently Amazon according to that pdf) are doing is that they send only invalid tokens so that the browser will see that they are sending a P3P header but assume they aren't doing anything with the cookies since there are no tokens recognized. Microsoft's P3P headers pointed out in that research are incomplete, not fraudulent.

Actually, two sites (msn.com and live.com) had missing tokens required by the spec; two other sites (microsoft.com and windows.com) had invalid tokens (CUSo) included with valid tokens. Granted, CUSo was a valid token at once; it has since been deprecated. Besides the point; IE's implementation of P3P makes it so that, if the header contains invalid or incomplete tokens, it lets the site save cookies. That's not at all how P3P is supposed to work.

Pointing out that Microsoft isn't taking the time to properly assign the correct tokens for the implementation seems to imply that they, too, aren't really taking P3P seriously. Which makes pointing out that Google is improperly using P3P a sledgehammer against the competition. Do as I say, not as I do.

Ok, lying is a strong word. But what do you call saying "true = not true"? Google knows that can't be true so it is a kind of lying. Google chose to send the P3P and thereby knowingly circumventing the "block all cookies from sites without a compact privacy policy" setting in IE. On the other hand, IE should check the validity of the P3P before trusting it.

Just because someone is an Android fan doesn't mean they support their policies you half wit. You see unlike Apple zealots most fans of Google wares aren't "all in" I like Android. But if this is true. Google can get bent.

Yeah, right. fandoids are worse than Apple fanatics. Your reply shows that. He wasn't even talking about people, but the browser. You're so quick to rebuttal him though. It bothers you that much?

So they send a cookie, say it isn't a privacy cookie, explain why on their web site, then the first two posters, one of which started today, say Google is evil. I find it rather hard to be alarmed of something that is posted and explained in plain site (sic).

Rich. Especially coming from Microsoft who enjoyed destroying other companies.

Just because someone is an Android fan doesn't mean they support their policies you half wit. You see unlike Apple zealots most fans of Google wares aren't "all in" I like Android. But if this is true. Google can get bent.

Yeah, right. fandoids are worse than Apple fanatics. Your reply shows that. He wasn't even talking about people, but the browser. You're so quick to rebuttal him though. It bothers you that much?

Yes, the apple fans say the *other* ones are worse, while the *other* fans say apple fans are worse. What a surprise.

Oh wait, when was the last time you saw a MS or Google or Android logo on someone's car?

Since the only purpose for Google's products is to gather information to sell, I would imagine that their own browsers, both for Android and other OS's, will allow whatever will make Google money.

It's about time that Google is forced to stop doing this. We had the scandal with Street View cars stealing passwords and other information. Google there too said it was an accident. But it couldn't have been, because the software that was doing that had been developed at Google for that very same purpose. They even patented it! It had to use for Street View at all. My thoughts on that was that Google never thought it would be discovered. I believe that possibly the entire purpose of Street View wasn't to make things easier by allowing people to see streets, it was to enable a way for them to use that spy software, and gather the information.

Google just goes on and on with stealing from companies and individuals. Will the government ever stop them?

When did street view steal passwords? You need to stop reading apple insider so much there bud.

As for the question. From Google's statement on the Safari issue, emphasis added:

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization.

err .. that could easily be solved by passing a unique identifier in the query string... web programming 101.... When users say they don't want 3rd party cookies, they mean they don't want it.

Since the only purpose for Google's products is to gather information to sell, I would imagine that their own browsers, both for Android and other OS's, will allow whatever will make Google money.

It's about time that Google is forced to stop doing this. We had the scandal with Street View cars stealing passwords and other information. Google there too said it was an accident. But it couldn't have been, because the software that was doing that had been developed at Google for that very same purpose. They even patented it! It had to use for Street View at all. My thoughts on that was that Google never thought it would be discovered. I believe that possibly the entire purpose of Street View wasn't to make things easier by allowing people to see streets, it was to enable a way for them to use that spy software, and gather the information.

Google just goes on and on with stealing from companies and individuals. Will the government ever stop them?

When did street view steal passwords? You need to stop reading apple insider so much there bud.

do a search on any search site for "google streetview steals passwords." they admitted it.

Ok, lying is a strong word. But what do you call saying "true = not true"? Google knows that can't be true so it is a kind of lying. Google chose to send the P3P and thereby knowingly circumventing the "block all cookies from sites without a compact privacy policy" setting in IE. On the other hand, IE should check the validity of the P3P before trusting it.

Maybe you are correct that they should check the validity, however doing that would mean they have to break the P3P specification that states that any errors in the P3P policy sent by the server should be ignored and the P3P data should be treated as empty content (empty as in the server saying that the collected data will not be used for anything). Trying to "semi-intelligently" parse the content leads to a little more overhead, a little higher possibility of bugs creeping in as well as the risk of the application making the wrong guess and therefore misusing the user's trust.